Oracle® Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager
Release 11g (11.1.1)
Part Number E15480-06
In the context of an HTTP transaction, the basic access authentication is a method designed to allow a web browser, or other client program, to provide credentials – in the form of a user name and password – when making a request.
Rule result that can impact users, such as forcing them to register a security profile, KBA-challenging them, blocking access, asking them for a PIN or password, and so on.
Adaptive Risk Manager
A category of Oracle Adaptive Access Manager features. Business and risk analytics, fraud investigation and customer service tools fall under the Adaptive Risk Manager category.
Adaptive Strong Authenticator
A category of Oracle Adaptive Access Manager features. All the end-user facing interfaces, flows, and authentication methods fall under the Adaptive Strong Authenticator category.
Rule results containing messages targeted to specific types of Oracle Adaptive Access Manager users.
An Application Programming Interface defines how to access a software-based service. Oracle Adaptive Access Manager provides APIs to fingerprint devices, collect authentication and transaction logs, run security rules, challenge the user to answer pre-registered questions correctly, and generate virtual authentication devices such as KeyPad, TextPad, or QuestionPad.
Attributes are the particular pieces of information associated with the activity being tracked. An example is the time of day for a login. Patterns collect data about members. If the member type is User, the pattern will collect data about users.
The process of verifying a person's, device's, or application's identity. Authentication deals with the question "Who is trying to access my services?"
Authentication Status is the status of the session (each login/transaction attempt creates a new session).
Examples are listed below:
If a user logs in for the first time and goes through the registration process, but decides not to complete it and logs out, the authentication status for this user session is set as "Pending Activation."
If a user logs in from a different device/location, he is challenged. If he answers the challenge questions incorrectly in all three attempts, the authentication status for this session is set as "Wrong Password."
If a user logs in and is taken to the final transaction page or success page, the authentication status for the particular session is set as "Success."
If the user is fraudulent and is blocked, the status for the session is set as "Block."
Authorization regards the question "Who can access what resources offered by which components?"
Autolearning is a set of features in Oracle Adaptive Access Manager that dynamically profiles behavior in real time. The behavior of users, devices and locations is recorded and used to evaluate the risk of current behavior.
A given list of users, devices, IP addresses, networks, countries, and so on that are blocked. An attack from a given member can show up on a report and be manually added to a blacklist at the administrator's discretion.
If a user is "Blocked," it is because a policy has found certain conditions to be "true" and is set up to respond to these conditions with a "Block Action." If those conditions change, the user may no longer be "Blocked." The "Blocked" status is not necessarily permanent and therefore may or may not require an administrator action to resolve. For example, if the user was blocked because he was logging in from a blocked country, but he is no longer in that country, he may no longer be "Blocked."
Software applications that run automated or orchestrated tasks on compromised PCs over the internet. An organization of bots is known as a bot net or zombie network.
When the user accesses the system, OAAM collects information about the computer. By combining all that data, the site creates a fingerprint of the user's browser. This fingerprint could potentially uniquely identify the user. The information gathered that makes up the browser fingerprint includes the browser type used, plug-ins installed, system fonts, the configuration and version information from the operating system, and whether or not the computer accepts cookies.
The browser and flash fingerprints are tracked separately. The fingerprints are available in the session listing and details pages and you can get further details about the fingerprint by opening the respective details pages. Hence, you can have both fingerprints available, but if the user has not installed flash then the digital fingerprint (flash) is set to null.
Cases provide tools to track and solve customer service issues.
A case is a record of all the actions performed by the CSR to assist the customer as well as various account activities of the customer. Each case is allocated a case number, a unique case identification number.
Challenge Questions are a finite list of questions used for secondary authentication.
During registration, users are presented with several question menus. For example, he may be presented with three question menus. A user must select one question from each menu and enter answers for them during registration. Only one question from each question menu can be registered. These questions become the user's "registered questions."
When rules in OAAM Admin trigger challenge questions, OAAM Server displays the challenge questions and accepts the answers in a secure way for users. The questions can be presented in the QuestionPad, TextPad, and other pads, where the challenge question is embedded into the image of the authenticator, or simple HTML.
Configuration of a type of challenge (ChallengeEmail, ChallengeSMS, ChallengeQuestion).
A checkpoint is a specified point in a session when Oracle Adaptive Access Manager collects and evaluates security data using the rules engine.
Examples of checkpoints are:
Pre-authentication - Rules are run before a user completes the authentication process.
Post-authentication - Rules are run after a user is successfully authenticated.
Configurable Actions allow a user to create new supplementary actions that occur after the running of rules.
Status of the user that has completed registration. To be registered a user may need to complete all of the following tasks: Personalization (image and phrase), registering challenge questions/answers and email/cell phone.
Conditions are configurable evaluation statements used in the evaluation of historical and runtime data.
A cookie is a small string of text or data stored on a user's computer. Oracle Adaptive Access Manager uses two types of cookies to perform device identification. One is the browser cookie (also known as secure cookie) and the other is the flash cookie (also known as digital cookie). The browser cookie value is constructed using the browser user agent string. The flash cookie value is constructed using data from the OAAM flash movie.
Customer service representatives resolve low-risk customer issues originating from customer calls. CSRs have limited access to OAAM Admin, which allows them to:
View the reason why a login or transaction was blocked
View a severity flag with alert status to assist in escalation
Complete actions such as issuing temporary allow for a customer
A CSR Manager is in charge of overall management of CSR type cases. CSR Managers have all the access and responsibilities of a CSR plus access to more sensitive operations.
Data mining is the practice of automatically searching large stores of data to discover patterns and trends that go beyond simple analysis. Data mining uses sophisticated mathematical algorithms to segment the data and evaluate the probability of future events. Data mining is also known as Knowledge Discovery in Data (KDD). Data mining can answer questions that cannot be addressed through simple query and reporting techniques.
An attribute of data that represents the kind and structure of the data. For example, String.
Delivery mechanism used to send the OTP to the user. Email, SMS, IM, and so on are delivery channels.
Device fingerprinting collects information about the device such as browser type, browser headers, operating system type, locale, and so on. Fingerprint data represents the data collected for a device during the login process that is required to identify the device whenever it is used to log in. The fingerprinting process produces a fingerprint that is unique to the user and designed to protect against the "replay attacks" and the "cookie based registration bypass" process. The fingerprint details help in identifying a device, check whether it is secure, and determine the risk level for the authentication or transaction.
A customer typically uses these devices to log in: desktop computer, laptop computer, PDA, cell phone, kiosk, or other web enabled device.
During the registration process, the user is given an option to register his device to the system. If a user tries to login from a registered device, the application knows that it is a safe and secure device and allows the user to proceed with his transactions. This process is also called device identification.
Device registration is a feature that allows a user to flag the device (computer, mobile, PDA, and others) being used as a safe device. The customer can then configure the rules to challenge a user that is not coming from one of the registered devices.
Once the feature is enabled, information about the device is collected for that user. To make use of the information being collected, policies must be created and configured. For example, a policy could be created with rules to challenge a user who is not logging in from one of the registered devices.
A tool to edit entities, a user-defined structure that can be reused across different transactions. Only appropriate and related fields should be grouped into an Entity.
An entity is a user-defined data structure that can be re-used across different transactions.
Date when a CSR case expires. By default, the length of time before a case expires is 24 hours. After 24 hours, the status changes from the current status to Expired. The case could be in the Pending or Escalated status when it expires. After the case expires, the user will not be able to open the case anymore, but the CSR Manager can. The length of time before a case expires is configurable.
Two execution types for configurable actions are listed:
Synchronous - Synchronous actions are executed in the order of their priority in ascending order. For example, if the user wants to create a case and then send an email with the Case ID, the user would choose synchronous actions. Synchronous actions will trigger/execute immediately.
If the actions are executing in sequential order and one of the actions in the sequence does not trigger, the other actions will still trigger.
Asynchronous - Asynchronous actions are queued for execution but not in any particular sequence. For example, if you want to send an email or perform some action and do not care about executing it immediately and are not interested in any order of execution, you would choose asynchronous actions.
User-defined enums are a collection of properties that represent a list of items. Each element in the list may contain several different attributes. The definition of a user-defined enum begins with a property ending in the keyword ".enum" and has a value describing the use of the user-defined enum. Each element definition then starts with the same property name as the enum, and adds on an element name and has a value of a unique integer as an ID. The attributes of the element follow the same pattern, beginning with the property name of the element, followed by the attribute name, with the appropriate value for that attribute.
The following is an example of an enum defining credentials displayed on the login screen of an OAAM Server implementation:
bharosa.uio.default.credentials.enum = Enum for Login Credentials
bharosa.uio.default.credentials.enum.companyid=0
bharosa.uio.default.credentials.enum.companyid.name=CompanyID
bharosa.uio.default.credentials.enum.companyid.description=Company ID
bharosa.uio.default.credentials.enum.companyid.inputname=comapanyid
bharosa.uio.default.credentials.enum.companyid.maxlength=24
bharosa.uio.default.credentials.enum.companyid.order=0
bharosa.uio.default.credentials.enum.username=1
bharosa.uio.default.credentials.enum.username.name=Username
bharosa.uio.default.credentials.enum.username.description=Username
bharosa.uio.default.credentials.enum.username.inputname=userid
bharosa.uio.default.credentials.enum.username.maxlength=18
bharosa.uio.default.credentials.enum.username.order=1
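The user-defined enum convention above (a ".enum" property naming the list, one integer-valued property per element, then "element.attribute" properties) is simple enough to parse and validate mechanically. The following is an added example, not Oracle's own property loader: it reads the credentials enum from the text above, checks that every element has a unique integer ID, and orders the elements by their "order" attribute as a login form would. The sample input is the page's own example, embedded as a string.

```python
"""Parser for the OAAM user-defined enum property format (added example, not Oracle code)."""
import re

# Constructed sample: the credentials enum from the glossary, one property per line.
SAMPLE_PROPERTIES = """
bharosa.uio.default.credentials.enum = Enum for Login Credentials
bharosa.uio.default.credentials.enum.companyid=0
bharosa.uio.default.credentials.enum.companyid.name=CompanyID
bharosa.uio.default.credentials.enum.companyid.description=Company ID
bharosa.uio.default.credentials.enum.companyid.inputname=comapanyid
bharosa.uio.default.credentials.enum.companyid.maxlength=24
bharosa.uio.default.credentials.enum.companyid.order=0
bharosa.uio.default.credentials.enum.username=1
bharosa.uio.default.credentials.enum.username.name=Username
bharosa.uio.default.credentials.enum.username.description=Username
bharosa.uio.default.credentials.enum.username.inputname=userid
bharosa.uio.default.credentials.enum.username.maxlength=18
bharosa.uio.default.credentials.enum.username.order=1
"""


def parse_properties(text):
    """Minimal Java-properties reader: one key=value per line, '#'/'!' comment lines ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # malformed line without '=', skip it
        props[key.strip()] = value.strip()
    return props


def parse_user_defined_enums(props):
    """Group properties into enums: {enum_key: {"description": str, "elements": {name: {...}}}}."""
    enums = {}
    # Pass 1: every key ending in ".enum" declares an enum; its value describes the enum.
    for key, value in props.items():
        if key.endswith(".enum"):
            enums[key] = {"description": value, "elements": {}}
    # Pass 2: "<enum>.<element>" with an integer value declares an element ID;
    # "<enum>.<element>.<attr>" declares an attribute of that element.
    for key, value in props.items():
        for prefix, enum in enums.items():
            if not key.startswith(prefix + "."):
                continue
            parts = key[len(prefix) + 1:].split(".")
            entry = enum["elements"].setdefault(parts[0], {"id": None, "attributes": {}})
            if len(parts) == 1:
                if not re.fullmatch(r"-?\d+", value):
                    raise ValueError(f"{key}: element ID must be an integer, got {value!r}")
                entry["id"] = int(value)
            else:
                entry["attributes"][".".join(parts[1:])] = value
    # Validation: every element needs an ID, and IDs must be unique within the enum.
    for prefix, enum in enums.items():
        ids = [element["id"] for element in enum["elements"].values()]
        if None in ids:
            raise ValueError(f"{prefix}: an element has attributes but no integer ID")
        if len(ids) != len(set(ids)):
            raise ValueError(f"{prefix}: duplicate element IDs")
    return enums


def credential_fields_in_order(enums, enum_key):
    """Element names sorted by their 'order' attribute (missing order sorts first)."""
    elements = enums[enum_key]["elements"]
    return sorted(elements, key=lambda name: int(elements[name]["attributes"].get("order", 0)))


if __name__ == "__main__":
    parsed = parse_user_defined_enums(parse_properties(SAMPLE_PROPERTIES))
    key = "bharosa.uio.default.credentials.enum"
    for name in credential_fields_in_order(parsed, key):
        print(name, parsed[key]["elements"][name])
```

The validation step is the part worth keeping: a duplicate or missing element ID in a hand-edited properties file is the kind of mistake that otherwise surfaces only as a confusing login-page rendering.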
This algorithm handles Answers with typos due to the proximity of keys on a standard keyboard.
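Keyboard-proximity answer matching, as an added illustration and not Oracle's answer-logic implementation: the registered answer and the given answer are normalized, and the given answer is accepted only if every differing character is a physically adjacent key on a US QWERTY layout, up to a configured number of such typos. The layout table, the row offsets that approximate the staggered keys, and the default limit of one typo are assumptions of this example.

```python
"""Fat-finger tolerant answer comparison (added example, not Oracle code)."""

# Assumed US QWERTY rows; offsets approximate the stagger so diagonal neighbours count.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
ROW_OFFSETS = [0.0, 0.5, 1.0, 1.5]


def build_adjacency():
    """Map each key to the set of keys within one position of it, in any direction."""
    position = {}
    for row_index, row in enumerate(QWERTY_ROWS):
        for col_index, key in enumerate(row):
            position[key] = (row_index, col_index + ROW_OFFSETS[row_index])
    adjacent = {key: set() for key in position}
    for a, (row_a, col_a) in position.items():
        for b, (row_b, col_b) in position.items():
            if a != b and abs(row_a - row_b) <= 1 and abs(col_a - col_b) <= 1:
                adjacent[a].add(b)
    return adjacent


ADJACENT = build_adjacency()


def normalize(answer):
    """Case-insensitive comparison with surrounding and repeated whitespace collapsed."""
    return " ".join(answer.lower().split())


def is_fat_finger_match(registered, given, max_typos=1):
    """True if `given` equals `registered` except for at most `max_typos`
    substitutions where the typed key is adjacent to the expected key.
    Insertions and deletions are not tolerated, so length must match."""
    expected, typed = normalize(registered), normalize(given)
    if len(expected) != len(typed):
        return False
    typos = 0
    for want, got in zip(expected, typed):
        if want == got:
            continue
        if got not in ADJACENT.get(want, ()):
            return False  # a non-adjacent substitution is a wrong answer, not a typo
        typos += 1
        if typos > max_typos:
            return False
    return True


if __name__ == "__main__":
    for candidate in ["blue", "bkue", "blur", "bkur", "green"]:
        print(candidate, is_fat_finger_match("Blue", candidate))
```

The limit matters: each tolerated substitution widens the set of accepted answers, so the tolerance should stay small and is best paired with the existing failure counter and lockout rather than treated as free.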
Flash fingerprinting is similar to browser fingerprinting, but a flash movie is used by the server to set or retrieve a cookie from the user's machine, so a specific set of information is collected from the browser and from flash. The flash fingerprint is only available if flash is installed on the client machine.
The fingerprints are tracked separately. The fingerprints are available in the session listing and details pages and you can get further details about the fingerprint by opening the respective details pages. Hence, you can have both fingerprints available, but if the user has not installed flash then the digital fingerprint (flash) is set to null.
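The browser fingerprint and flash fingerprint entries above describe collecting attributes, deriving a fingerprint from them, and tracking the two separately with the flash fingerprint null when flash is absent. The following added example (not Oracle's fingerprinting code) models that: each fingerprint is a SHA-256 digest of a canonical serialization of its attribute set, and a device lookup consults the browser fingerprint first and the flash fingerprint only when present. The attribute lists and the sample sessions are constructed for the example.

```python
"""Two-fingerprint device identification model (added example, not Oracle code)."""
import hashlib
import json

# Assumed attribute sets for each fingerprint, based on the glossary's description.
BROWSER_ATTRIBUTES = ("user_agent", "plugins", "fonts", "os", "os_version", "accepts_cookies")
FLASH_ATTRIBUTES = ("flash_version", "screen", "language", "os")


def fingerprint(attributes, keys):
    """Canonical JSON (sorted keys, no whitespace) of the selected attributes, then SHA-256."""
    subset = {k: attributes.get(k) for k in keys}
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def browser_fingerprint(attributes):
    return fingerprint(attributes, BROWSER_ATTRIBUTES)


def flash_fingerprint(attributes):
    # No flash installed: the digital (flash) fingerprint is null, as the glossary states.
    if not attributes.get("flash_installed"):
        return None
    return fingerprint(attributes, FLASH_ATTRIBUTES)


def identify_device(attributes, known_devices):
    """Return the id of a known device whose browser fingerprint matches, or whose
    flash fingerprint matches when the session has one; None if nothing matches."""
    bfp = browser_fingerprint(attributes)
    ffp = flash_fingerprint(attributes)
    for device_id, prints in known_devices.items():
        if prints["browser"] == bfp:
            return device_id
        if ffp is not None and prints["flash"] == ffp:
            return device_id
    return None


# Constructed sample sessions.
SESSION_WITH_FLASH = {
    "user_agent": "Mozilla/5.0 (Example Browser 1.0)",
    "plugins": ["pdf-viewer", "flash"],
    "fonts": ["Arial", "Courier"],
    "os": "ExampleOS", "os_version": "1.2",
    "accepts_cookies": True,
    "flash_installed": True, "flash_version": "10.0", "screen": "1280x800", "language": "en",
}
SESSION_NO_FLASH = {k: v for k, v in SESSION_WITH_FLASH.items() if not k.startswith("flash")}
SESSION_NO_FLASH["flash_installed"] = False

KNOWN_DEVICES = {
    "device-1": {"browser": browser_fingerprint(SESSION_WITH_FLASH),
                 "flash": flash_fingerprint(SESSION_WITH_FLASH)},
}

if __name__ == "__main__":
    print("browser:", browser_fingerprint(SESSION_WITH_FLASH)[:16])
    print("flash:  ", flash_fingerprint(SESSION_NO_FLASH))
    print("device: ", identify_device(SESSION_NO_FLASH, KNOWN_DEVICES))
```

Canonical serialization is the detail that makes two collections of the same data hash identically; any change to an attribute, such as an added plug-in, yields a different browser fingerprint, which is why a fingerprint is one signal for a rule rather than a password.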
A Fraud Investigator primarily looks into suspicious situations either escalated from customer service or directly from Oracle Adaptive Access Manager alerts. Agents have access to all of the customer care functionality as well as read only rights to security administration and BI Publisher reporting.
Fraud Investigation Manager
A Fraud Investigation Manager has all of the access and duties of an investigator plus the responsibility to manage all cases. An Investigation Manager must routinely search for expired cases to make sure none are pending.
A fraud scenario is a potential or actual deceptive situation involving malicious activity directed at a company's online application.
For example, you have just arrived at the office on Monday and logged into OAAM Admin. You notice that there are a high number of logins with the status "Wrong Password" and "Invalid User" coming in from a few users. Some appear to be coming in from different countries, and some appear to be local. You receive a call from the fraud team notifying you that some accounts have been compromised. You must come up with a set of rules that can identify and block these transactions.
Collection of like items. Groups are found in the following situations:
Groups are used in rule conditions
Groups that link policy to user groups
Action and alert groups
A job is a collection of tasks that can be run by OAAM. You can perform a variety of jobs such as load data, run risk evaluation, roll up monitor data, and other jobs.
KBA Phone Challenge
Users can be authenticated over the phone using their registered challenge questions. This option is not available for unregistered users or in deployments not using KBA.
Virtual keyboard for entry of passwords, credit card numbers, and so on. The KeyPad protects against Trojans or keylogging.
Software that captures a user's keystrokes. Keylogging software can be used to gather sensitive data entered on a user's computer.
Knowledge Based Authentication (KBA)
OAAM knowledge based authentication (KBA) is a user challenge infrastructure based on registered challenge questions. It handles Registration Logic, challenge logic, and Answer Logic.
"Locked" is the status that Oracle Adaptive Access Manager sets if the user fails a KBA or OTP challenge. The "Locked" status is only used if the KBA or One Time-Password (OTP) facility is in use.
OTP: OTP sends a one-time PIN or password to the user through a configured delivery method, and if the user exceeds the number of retries when attempting to provide the OTP code, the account becomes "Locked."
KBA: For online challenges, a customer is locked out of the session when the Online Counter reaches the maximum number of failures. For phone challenges, a customer is locked out when the maximum number of failures is reached and no challenge questions are left.
After the lock out, a Customer Service Representative must reset the status to "Unlocked" before the account can be used to enter the system.
Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. Malware may contain key loggers or other types of malicious code.
Man-In-The-Middle-Attack (Proxy Attacks)
An attack in which a fraudster is able to read, insert and modify at will messages between two parties without either party knowing that the link between them has been compromised.
Multifactor authentication (MFA) is a security system in which more than one form of authentication is implemented to verify the legitimacy of a transaction. In contrast, single factor authentication (SFA) involves only a User ID and password.
Multiprocessing Modules (MPMs)
Apache httpd ships with a selection of Multi-Processing Modules (MPMs) which are responsible for binding to network ports on the machine, accepting requests, and dispatching children to handle the requests.
Mutual authentication or two-way authentication (sometimes written as 2WAY authentication) refers to two parties authenticating each other suitably. In technology terms, it refers to a client or user authenticating himself to a server and that server authenticating itself to the user in such a way that both parties are assured of the others' identity.
Native integration involves customizing the application to include OAAM API calls at various stages of the login process. The application invokes Oracle Adaptive Access Manager directly and the application itself manages the authentication and challenge flows.
SOAP service wrapper API: The application communicates with Oracle Adaptive Access Manager using the Oracle Adaptive Access Manager native client API (SOAP service wrapper API) or via Web services. The application makes SOAP calls to interact with Oracle Adaptive Access Manager.
Static linking: The processing engine for Oracle Adaptive Access Manager (OAAM Library) is embedded with the application. It leverages the underlying database directly for processing.
Administration Web application for all environment and Adaptive Risk Manager and Adaptive Strong Authenticator features.
Adaptive Risk Manager and Adaptive Strong Authenticator features, Web services, LDAP integration and user Web application used in all deployment types except native integration.
One Time Password (OTP)
One Time Password (OTP) is a form of out of band authentication that is used as a secondary credential and generated at pre-configured checkpoints based on the policies configured.
OTP Anywhere is a risk-based challenge solution consisting of a server-generated one time password delivered to an end user via a configured out-of-band channel. Supported OTP delivery channels include short message service (SMS), email, instant messaging and voice. OTP Anywhere can be used to complement a KBA challenge or instead of KBA. Both OTP Anywhere and KBA can also be used alongside practically any other authentication type required in a deployment. Oracle Adaptive Access Manager also provides a challenge processor framework, which can be used to implement custom risk-based challenge solutions combining third-party authentication products or services with OAAM real-time risk evaluations.
Oracle Adaptive Access Manager
A product to protect the enterprise and its customers online.
Oracle Adaptive Access Manager:
provides multifactor authentication security
evaluates multiple data types to determine risk in real-time
aids in research and development of fraud policies in offline environment
integrates with access management applications
Oracle Adaptive Access Manager is composed of two primary components: OAAM Server and OAAM Admin.
Oracle Data Mining (ODM)
Oracle Data Mining, an option for Oracle Database EE, provides powerful data mining functionality.
Out Of Band Authentication
The use of two separate networks working simultaneously to authenticate a user. For example: email, SMS, phone, and so on.
Patterns are configured by an administrator and record the behavior of the users, device and locations accessing the system by creating a digest of the access data. The digest or profile information is then stored in a historical data table. Rules evaluate the patterns to dynamically assess risk levels.
Status of the user who has an image, a phrase and questions active. Personalization consists of a personal background image and phrase. The timestamp is generated by the server and embedded in the single-use image to prevent reuse. Each Authenticator interface is a single image served up to the user for a single use.
Pharming (pronounced farming) is an attack aiming to redirect a Web site's traffic to another, bogus Web site.
A criminal activity utilizing social engineering techniques to trick users into visiting their counterfeit Web application. Phishers attempt to fraudulently acquire sensitive information, such as user names, passwords and credit card details, by masquerading as a trustworthy entity. Often a phishing exercise starts with an email aimed to lure in gullible users.
A plug-in consists of a computer program that interacts with a host application (a web browser or an email client, for example) to provide a certain, usually very specific, function "on demand".
Policies contain security rules and configurations used to evaluate the level of risk at each checkpoint.
A policy set is the collection of all the currently configured policies used to evaluate traffic to identify possible risks. The policy set contains the scoring engine and action/score overrides.
A policy has three statuses, which define the state of the object or its availability for business processes.
Deleted is not used.
When a policy is deleted, it is permanently deleted from the database.
By default, every new policy created has the status "Active."
Every copied policy has a default status as "Disabled."
Rules are run after the user password has been authenticated. Common actions returned by post-authentication checkpoint include:
Allow to allow the user to proceed forward.
Block to block the user from proceeding forward.
Challenge to challenge the user.
Rules are run before the user is authenticated. Common values returned by the pre-authentication checkpoint include:
Allow to allow the user to proceed forward.
Block to block the user from proceeding forward.
Predictive analytics encompasses a variety of techniques from statistics, data mining and game theory that analyze current and historical facts to make predictions about future events.
Status of the user who has completed registration and has registered questions by which he can be challenged.
The total number of questions a customer can choose from when registering challenge questions.
Device that presents challenge questions for users to answer before they can perform sensitive tasks. This method of data entry helps to defend against session hijacking.
An enrollment process wherein the customer registers challenge questions, secret images, text phrases, one-time passwords, and so on for another layer of security in addition to the login process.
A customer's registered questions are the questions that he selected and answered during registration or reset. Only one question from each question menu can be registered.
Score refers to the numeric scoring used to evaluate the risk level associated with a specific situation. A policy results in a score.
Scoring engines are used at the policy and policy set levels. The Policy Scoring Engine is used to calculate the score produced by the different rules in a policy. The Policy Set Scoring Engine is used to calculate the final score based on the scores of policies.
Where there are numerous inputs, scoring is able to summarize all these various points into a single score on which decisions can be based.
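The glossary entries for checkpoints, policies, rules, conditions, groups, the post- and pre-authentication actions, and the two levels of scoring engine describe one pipeline. The following is an added toy model of that pipeline, not Oracle's rules engine: rules carry a condition, a score and an action; each policy combines its triggered rule scores with a policy scoring engine; the policy set combines policy scores with its own engine; and the most restrictive action among the triggered rules is returned. The engine names (MAXIMUM, AVERAGE), the action precedence, the group contents and the sample session are all assumptions for this example.

```python
"""Checkpoint evaluation model: rules, policies, scoring engines, actions (added example, not Oracle code)."""
from dataclasses import dataclass
from typing import Callable, List

# Groups: collections of like items referenced by rule conditions (constructed sample data).
GROUPS = {
    "blocked_countries": {"XX", "YY"},          # placeholder country codes
    "registered_devices": {"device-registered-1"},
}


@dataclass
class Rule:
    name: str
    condition: Callable[[dict], bool]   # evaluates session or historical data
    score: int                          # risk score contributed when the condition holds
    action: str                         # "Allow", "Challenge" or "Block"


@dataclass
class Policy:
    name: str
    checkpoint: str                     # "pre-authentication" or "post-authentication"
    rules: List[Rule]
    scoring_engine: str = "MAXIMUM"     # assumed engine names: MAXIMUM or AVERAGE


# Assumed: when several rules fire, the most restrictive action wins.
ACTION_PRECEDENCE = {"Allow": 0, "Challenge": 1, "Block": 2}


def combine(scores, engine):
    """Scoring engine: fold a list of scores into one."""
    if not scores:
        return 0
    if engine == "MAXIMUM":
        return max(scores)
    if engine == "AVERAGE":
        return round(sum(scores) / len(scores))
    raise ValueError(f"unknown scoring engine {engine!r}")


def run_checkpoint(checkpoint, policies, session, policy_set_engine="MAXIMUM"):
    """Evaluate every policy bound to the checkpoint; return the final score,
    the action to take, and which rules triggered (for alerts and case notes)."""
    policy_scores, actions, triggered = [], [], []
    for policy in policies:
        if policy.checkpoint != checkpoint:
            continue
        rule_scores = []
        for rule in policy.rules:
            if rule.condition(session):
                rule_scores.append(rule.score)
                actions.append(rule.action)
                triggered.append(f"{policy.name}/{rule.name}")
        # Policy scoring engine: score of this policy from its triggered rules.
        policy_scores.append(combine(rule_scores, policy.scoring_engine))
    # Policy set scoring engine: final score from the policy scores.
    final_score = combine(policy_scores, policy_set_engine)
    action = max(actions, key=ACTION_PRECEDENCE.get) if actions else "Allow"
    return {"score": final_score, "action": action, "triggered": triggered}


POLICIES = [
    Policy("Pre-Auth Location", "pre-authentication", [
        Rule("Blocked country", lambda s: s["country"] in GROUPS["blocked_countries"], 1000, "Block"),
    ]),
    Policy("Post-Auth Device", "post-authentication", [
        Rule("Unregistered device", lambda s: s["device_id"] not in GROUPS["registered_devices"], 500, "Challenge"),
        Rule("Recent failures", lambda s: s["recent_failures"] >= 3, 700, "Challenge"),
    ], scoring_engine="AVERAGE"),
]

# Constructed sample session data.
SESSION = {"user": "jdoe", "country": "US", "device_id": "device-unknown-7", "recent_failures": 1}

if __name__ == "__main__":
    print(run_checkpoint("pre-authentication", POLICIES, SESSION))
    print(run_checkpoint("post-authentication", POLICIES, SESSION))
```

Keeping the triggered-rule list alongside the score is what lets a CSR later see why a login was blocked or challenged, which the glossary lists as a CSR task.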
Security tokens (or sometimes a hardware token, hard token, authentication token, USB token, cryptographic token) are used to prove one's identity electronically (as in the case of a customer trying to access their bank account). The token is used in addition to or in place of a password to prove that the customer is who they claim to be. The token acts like an electronic key to access something.
A marker to communicate to case personnel how severe this case is. The severity level is set by whomever creates the case. The available severity levels are High, Medium, and Low. If a customer suspects fraud, then the severity level assigned is "High." For example, if the customer wants a different image, then the severity level assigned is "Low." Severity levels of a case can be escalated or deescalated as necessary.
The term Session Hijacking refers to the exploitation of a valid computer session - sometimes also called a session key - to gain unauthorized access to information or services in a computer system.
A snapshot is a zip file that contains Oracle Adaptive Access policies, dependent components and configurations for backup, disaster recovery and migration. Snapshots can be saved to the database for fast recovery or to a file for migration between environments and backup. Restoring a snapshot is a process that includes visibility into exactly what the delta is and what actions will be taken to resolve conflicts.
SOAP, originally defined as Simple Object Access Protocol, is a protocol specification for exchanging structured information in the implementation of Web Services in computer networks. It relies on Extensible Markup Language (XML) as its message format, and usually relies on other Application Layer protocols (most notably Remote Procedure Call (RPC) and HTTP) for message negotiation and transmission. SOAP can form the foundation layer of a web services protocol stack, providing a basic messaging framework upon which web services can be built.
Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information to a fraudulent entity.
In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage.
Spyware is computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user's interaction with the computer, without the user's informed consent.
An authentication factor is a piece of information and process used to authenticate or verify the identity of a person or other entity requesting access under security constraints. Two-factor authentication (T-FA) is a system wherein two different factors are used in conjunction to authenticate. Using two factors as opposed to one factor generally delivers a higher level of authentication assurance.
Using more than one factor is sometimes called strong authentication.
Temporary account access that is granted to a customer who is being blocked from logging in or performing a transaction.
Personalized device for entering a password or PIN using a regular keyboard. This method of data entry helps to defend against phishing. TextPad is often deployed as the default for all users in a large deployment, and each user can then individually upgrade to another device if they wish. The personal image and phrase that a user registers and sees every time they log in to the valid site serve as a shared secret between user and server.
A transaction defines the data structure and mapping to support application event/transaction analytics.
Transaction data is data that is an abstract item, has no attributes of its own, does not fit into any entity, and exists or is unique by itself.
Items that cannot fall into an entity are classified as standalone data.
A classic example is amount or code.
Application data is mapped using the transaction definition before transaction monitoring and profiling can begin. Each type of transaction Oracle Adaptive Access Manager deals with should have a separate transaction definition.
This key value is used to map the client/external transaction data to transactions in the Oracle Adaptive Access Manager Server.
The Transaction Definitions that have been configured in this specific installation such as authentication, bill pay, wire transfer, and others.
A program that installs malicious software while under the guise of doing something else.
Virtual Authentication Devices
A personalized device for entering a password or PIN or an authentication credential entry device. The virtual authentication devices harden the process of entering and transmitting authentication credentials and provide end users with verification they are authenticating on the valid application.